0

The Internet from every angle has always been a house of cards held together with defective duct tape. It’s a miracle that anything works at all. Those who understand a lot of the technology involved generally hate it, but at the same time are astounded that for end users, things seem to usually work rather well.

Today I want to talk about all of the egregious security disasters across the Internet over the last few months, but as Inigo Montoya once said: “No, there is too much. Let me sum up.” Alas, even an incomplete summary is a lengthy litany of catastrophe. Let’s see:

…until they get hacked. And then, of course, they blame the technology.

I’m sorry to report, however, that that blame is not entirely misplaced. Because

3. Security is usually an afterthought.

No, if that. Because security is hard, and users are lazy, and so making systems which are secure even for ordinary users takes way too much time and effort, so too many companies just hack together something slapdash and hope nothing goes terribly wrong.

We demonstrate that SSL certificate validation is completely broken in many security-critical applications and libraries. Vulnerable software includes Amazon’s EC2 Java library and all cloud clients based on it; Amazon’s and PayPal’s merchant SDKs responsible for transmitting payment details from e-commerce sites to payment gateways; integrated shopping carts such as osCommerce, ZenCart, Ubercart, and PrestaShop; AdMob code used by mobile websites; Chase mobile banking and several other Android apps and libraries; [etc]. Any SSL connection from any of these programs is insecure against a man-in-the-middle attack. The root causes of these vulnerabilities are badly designed APIs of SSL implementations.

My friend Will Sargent recently wrote a series of blog posts about what one has to do to actually correctly enable secure HTTP connections in Java. It’s a superb primer — but it’s tens of thousands words long, because it has to be:

It’s terrific, and as a developer who’s wrestled with SSL certificates on Android with Java myself, I’m really glad he wrote it; but in a better world — not a perfect world, mind you; really, just a non-disastrous one — he wouldn’t have had to.

Credit cards are even worse, of course. The Target hack, which was at the point-of-sale, would have been prevented by the use of chip-and-PIN technology…which is widespread, y’know, everywhere else in the developed world, and has been for many years. In the UK, chip-and-PIN was piloted in 2003 and rolled out nationwide in 2004. That’s a full decade ago. But US banks and retailers have dragged their heels — and now, as a direct result, they’re fish in a barrel.

To be fair, we have seen some moves in the right direction. Facebook — which seems to have impressive security, perhaps unsurprising in a company led by a hacker — last month released a new tool to make Android apps safer. There’s talk of a common server-security platform at the “Goldilocks” hypervisor level. And the FTC is beginning to pay attention and cite violators, including Fandango and Credit Karma:

FYI: if you disable SSL/TLS certificate validation in your app, you could get a call from the FTC: http://t.co/PpvlFeuAj0

But those are just a few flickers of life in a security-comatose body corporate. Meanwhile, we’re in an arms race, and while the attackers are training in the Shaolin Temple and gaining valuable work experience in the French Foreign Legion, the defenders are lazing around drinking beer because the dukes and duchesses told them to drain the moats, prop the gates open, and lose the arms and armor, all in order to encourage trade. I’m sure that always seems like such an awfully good idea … right until the day Genghis Khan rides up the road.

(1) For those coders among you who, previous to the GnuTLS revelation, blamed Apple’s ifs-without-braces code style for the bug:

Guys, no need to apply updates to GnuTls, I have reviewed the code and it has braces on every if statement.

0

CrunchBase

OverviewSSL.com is a globally trusted certificate authority that provides simple yet secure ssl certificate solutions. Founded in 2002, our philosophy continues to be the development of digital certificates that are easy to deploy and offer a high degree of security and assurance. From unlimited subdomain Wildcard SSL to Enterprise trust level EV SSL, we work closely with the development community to ensure …